VPN setup questions

MonitorMyHome

Young grasshopper
Joined
Jan 7, 2015
Messages
63
Reaction score
7
Hello

While I work in tech, I'm a developer and rarely work with the network setup. I know enough about VPNs because of my job (and yes I've read the primer as well). Unfortunately I have an old school Verizon Modem/Router that cannot be easily replaced. So... I have some questions.

First my current network topology. I have a crappy old Verizon ActionTec ancient router at the perimeter of my home network. Most of my devices are NOT connected there except my Google Wifi. Everything else is connected to Google Wifi via a router acting as a switch.

Given this setup, this is what I believe I need to do:
1) Set up the router to port forward to a VPN server
2) Put a VPN server between my ActionTec and Google Wifi

I think that's about all I need to, quite honestly. Given I got this right, here is my question. Will a Raspberry Pi with OpenVPN be the best option, or can I run something that supports L2TP/IPsec? I prefer not to use client apps, so L2TP is my preference, but it's not a very strong one.

Sorry for the bolding but those are basically the highlights.

Thanks
Sam

whoami ™

Pulling my weight
Joined
Aug 4, 2019
Messages
230
Reaction score
224
Location
South Florida
If you like the idea of being able to use L2TP, you can use SoftEther VPN server. SoftEther is an open-source multi-protocol VPN software. It clones OpenVPN, SSTP, and L2TP. It also has its own protocol which uses Ethernet over HTTPS, aka SSL over TCP port 443. It can cut through any firewall and is undetectable as a VPN to deep packet inspection. It'd be like using Stunnel with OpenVPN and having OpenVPN listening on TCP 443 instead of UDP 1194 and using syntax -mssfix max to get an MTU of 1500.

I run SoftEther on CentOS 7 running on a Raspberry Pi on my LAN. I mostly use the OpenVPN protocol since SoftEther doesn't have a client for Android or iOS, but for situations where I'm behind a firewall that blocks VPN I have the option to punch through it with the SoftEther client on my laptop running Windows, Linux & MacOS.

If you use L2TP/IPsec you're going to need to open UDP ports 500 & 4500.
If you use OpenVPN you can change what port you want to use, but the default is UDP 1194.

Just take into account that if you're connected to an open WiFi and they don't have those ports open, their firewall could possibly block your client.
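The ports listed above are the only ones the Pi needs to expose to the ActionTec's forwards, so its host firewall can default-drop everything else. This is an added nftables ruleset written for this thread, not anything from SoftEther or from the posters; it assumes a LAN of 192.168.1.0/24, the Pi's LAN interface being eth0, and OpenVPN creating tun0 (all constructed for the example).

```nftables
#!/usr/sbin/nft -f
# Added example: host firewall for a Raspberry Pi running the VPN server
# behind the ActionTec. Assumed (not from the thread): LAN 192.168.1.0/24,
# LAN interface eth0, OpenVPN tunnel interface tun0.
flush ruleset

define LAN_NET = 192.168.1.0/24
define LAN_IF  = "eth0"

table inet vpnhost {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Management (SSH) only from the LAN side, never via a forwarded port
        iif $LAN_IF ip saddr $LAN_NET tcp dport 22 accept

        # L2TP/IPsec: IKE (UDP 500) and NAT-T (UDP 4500); the Pi sits behind
        # the ActionTec's NAT, so clients arrive via NAT-T on 4500
        udp dport { 500, 4500 } accept
        # OpenVPN on its default UDP 1194
        udp dport 1194 accept
        # SoftEther's own protocol: Ethernet over HTTPS on TCP 443
        tcp dport 443 accept

        # Ping from the LAN only, for troubleshooting
        iif $LAN_IF icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # OpenVPN clients may reach the LAN; nothing else is routed by the Pi
        iifname "tun0" oifname $LAN_IF accept
    }
}
```

Routing from tun0 also needs `net.ipv4.ip_forward=1`; a SoftEther Local Bridge hands tunnel frames to the LAN at layer 2 and so does not pass through the forward chain.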

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,400
Depends on what you're going for and what you want to spend but generally the better/cleaner way to go with Verizon (assuming that you don't use their TV services) is to just pull the ActionTec and replace it with another router with VPN built in. No need to use theirs with their service. Pretty much any will work. If all that you have running to it now is coax then you'd need to have the twisted pair interface turned on at the ONT and run some Cat 5e/Cat 6 cable.

If you do use TV services then there are ways to make that work too with their router behind your own but no reason to go into all of that otherwise. With their newer STBs if available where you are you probably don't even need to do that.

MonitorMyHome

Young grasshopper
Joined
Jan 7, 2015
Messages
63
Reaction score
7
... the better/cleaner way to go with Verizon (assuming that you don't use their TV services)...
I do have TV unfortunately. It's FiOS triple play so TV, phone, internet. Switching out the ActionTec as anyone with FiOS (tv,phone,internet) can attest is just a pain. I'd much rather leave that be.

If you like the idea of being able to use L2TP, you can use SoftEther VPN server. SoftEther is an open-source multi-protocol VPN software. It clones OpenVPN, SSTP, and L2TP. It also has its own protocol which uses Ethernet over HTTPS, aka SSL over TCP port 443. It can cut through any firewall and is undetectable as a VPN to deep packet inspection. It'd be like using Stunnel with OpenVPN and having OpenVPN listening on TCP 443 instead of UDP 1194 and using syntax -mssfix max to get an MTU of 1500.

I run SoftEther on CentOS 7 running on a Raspberry Pi on my LAN. I mostly use the OpenVPN protocol since SoftEther doesn't have a client for Android or iOS, but for situations where I'm behind a firewall that blocks VPN I have the option to punch through it with the SoftEther client on my laptop running Windows, Linux & MacOS.

If you use L2TP/IPsec you're going to need to open UDP ports 500 & 4500.
If you use OpenVPN you can change what port you want to use, but the default is UDP 1194.

Just take into account that if you're connected to an open WiFi and they don't have those ports open, their firewall could possibly block your client.
I was just hunting through my cables and electronics. I found a few today lying around: a WRT54GS, a CHIP (yeah, the $9 computer), and a Raspberry Pi. I tried flashing DD-WRT on the WRT54GS but apparently that version doesn't have a VPN server. I'd love to make use of that CHIP but the RasPi is probably the easiest solution.

I didn't quite catch the SoftEther VPN "cloning" OpenVPN. Does that mean if I run SoftEther on my RasPi I would also have myself an OpenVPN server?

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
I would keep it simple: install OpenVPN on your Pi, open port 443 and forward it to your VPN server instance, deploy the OpenVPN client on all your devices and off you go.

The Pi might not be top-notch for bandwidth performance; if you can lose another $50, you might want to opt for a Ubiquiti ER-X EdgeRouter, then you can go all the way deep (or long) with VLANs and other fancy shizzle.

Good luck!
CC

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,400
I do have TV unfortunately. It's FiOS triple play so TV, phone, internet. Switching out the ActionTec as anyone with FiOS (tv,phone,internet) can attest is just a pain. I'd much rather leave that be.
So you'll know for future purposes, it's really not all that tough even with TV and phone. Phone works either way (from the ONT) so you don't need to do anything for that. The STBs just need an out-going connection to the Internet so that they can periodically pull down the guide and for on-demand. So you can put yours up front and the ActionTec behind on another subnet (probably could use the same, but better to segregate things I think) and it's happy and just serves to provide a media bridge to the coax side. Their latest STBs don't use coax and just plug directly into your network so you don't need it at all in that case.

The benefit is performance, simplicity, and a single perimeter door into your net. With a secondary device that you're routing through, you need to harden and maintain that as well. The old ActionTecs also have some vulnerabilities, and Verizon opens a diagnostics port where they can change things, as well as opening a range of dynamic ports for various services.

The only downside is that you lose in-coming services (remote DVR programming, using their app for remote control) since the required in-coming ports are no longer able to be opened. Technically you could open things up and make that work but they use a very wide range of dynamically assigned ports for that so kind of defeats the purpose in doing so. You also lose their ability to run end-to-end diagnostics but they do still provide support for services up to the customer-installed equipment and are used to seeing that these days.

whoami ™

Pulling my weight
Joined
Aug 4, 2019
Messages
230
Reaction score
224
Location
South Florida
Yes; if you install and run SoftEther you will essentially be running a SoftEther VPN, an OpenVPN VPN, an L2TP/IPsec VPN, and a Microsoft SSTP VPN all in one, so you can use whatever client you'd like. SoftEther actually has an easy-to-use server manager GUI you can control remotely (LAN) from a Windows PC once you set up the server through the command line in Linux on the Raspberry Pi. You can enable / disable any protocol you wish except for SoftEther's. IMHO SoftEther is actually easier to set up than OpenVPN, as long as you use the Windows server manager to connect to your Linux box and manage the VPN server. But since you're a dev I'm sure you know your way around the command line. If you try and set it all up in Linux using the Linux server manager you might have issues. I did... but that's another story.

A while back I started to write a tutorial on my GitHub wiki if you want to get an idea of what's involved. I don't think I got around to explaining how to manage the VPN server with the Windows server manager though.

Link to GitHub wiki below: How to set up Raspberry Pi with SoftEther VPN server.
cmdwhoami/whoami_vpn